AWS Security ChangesHomeSearch

AWS dms documentation change

Service: dms · 2025-04-25 · Documentation medium

File: dms/latest/userguide/CHAP_Serverless.Premigrations.md

Summary

Added section on using KMS keys to encrypt files with example IAM policy for DMS Serverless premigration assessments

Security assessment

The change adds documentation about configuring KMS encryption for data during premigration assessments, which enhances security by describing how to use customer-managed keys. However, there is no evidence of addressing a specific existing vulnerability.

Diff

diff --git a/dms/latest/userguide/CHAP_Serverless.Premigrations.md b/dms/latest/userguide/CHAP_Serverless.Premigrations.md
index 076110886..7af39eeba 100644
--- a//dms/latest/userguide/CHAP_Serverless.Premigrations.md
+++ b//dms/latest/userguide/CHAP_Serverless.Premigrations.md
@@ -5 +5 @@
-Limitations
+Using KMS key to encrypt filesLimitations
@@ -29,0 +30,18 @@ AWS DMS Serverless provides the following optional settings to support pre-migra
+## Using KMS key to encrypt files
+
+To configure `SSE-KMS` for DMS Serverless premigration assessment with a customer-managed key, add a policy statement that grants the DMS service-linked role on your KMS key, enabling secure encryption and decryption of data during the assessment process. You must configure the `kms:GenerateDataKey` and `kms:Decrypt` permissions. See the example below:
+    
+    
+    {
+          "Sid": "AccessForDMSServerlessPremigration",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::<CustomerAccountId>:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless"
+          },
+          "Action": [
+            "kms:Decrypt",
+            "kms:GenerateDataKey*"
+          ],
+          "Resource": "*"
+        }
+